Uninett / drf-oidc-auth

OpenID Connect authentication for Django REST Framework
MIT License

Invalid Authorization header. JWT Signature verification failed #22

Open f-denkena opened 2 weeks ago

f-denkena commented 2 weeks ago

While running the package, the following issue appears (python 3.12, django 5.0, drf 3.15):

Creating test database for alias 'default'...
System check identified no issues (0 silenced).
.........Invalid Authorization header. JWT Signature verification failed.
Traceback (most recent call last):
  File "/var/www/drf-oidc-auth/oidc_auth/authentication.py", line 148, in decode_jwt
    id_token = jwt.decode(
               ^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/authlib/jose/rfc7519/jwt.py", line 96, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/authlib/jose/rfc7515/jws.py", line 101, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/authlib/jose/rfc7515/jws.py", line 254, in _prepare_algorithm_key
    key = key(header, payload)
          ^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/authlib/jose/rfc7519/jwt.py", line 165, in load_key
    return key.find_by_kid(header.get('kid'))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/authlib/jose/rfc7517/key_set.py", line 29, in find_by_kid
    raise ValueError('Invalid JSON Web Key Set')
ValueError: Invalid JSON Web Key Set
............Invalid Authorization header. JWT Signature verification failed.
Traceback (most recent call last):
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/jwt/api_jws.py", line 257, in _load
    signing_input, crypto_segment = jwt.rsplit(b".", 1)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: not enough values to unpack (expected 2, got 1)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/var/www/drf-oidc-auth/oidc_auth/authentication.py", line 146, in decode_jwt
    issuer = self.get_issuer_from_raw_token(jwt_value)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/oidc_auth/authentication.py", line 191, in get_issuer_from_raw_token
    claims = self.get_claims_without_validation(token)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/oidc_auth/authentication.py", line 198, in get_claims_without_validation
    return pyjwt.decode(token, options={"verify_signature": False})
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/jwt/api_jwt.py", line 210, in decode
    decoded = self.decode_complete(
              ^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/jwt/api_jwt.py", line 151, in decode_complete
    decoded = api_jws.decode_complete(
              ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/jwt/api_jws.py", line 198, in decode_complete
    payload, signing_input, header, signature = self._load(jwt)
                                                ^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/jwt/api_jws.py", line 260, in _load
    raise DecodeError("Not enough segments") from err
jwt.exceptions.DecodeError: Not enough segments
..Invalid Authorization header. JWT Signature verification failed.
Traceback (most recent call last):
  File "/var/www/drf-oidc-auth/oidc_auth/authentication.py", line 148, in decode_jwt
    id_token = jwt.decode(
               ^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/authlib/jose/rfc7519/jwt.py", line 96, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/www/drf-oidc-auth/.tox/py312-django50-drf315/lib/python3.12/site-packages/authlib/jose/rfc7515/jws.py", line 104, in deserialize_compact
    raise BadSignatureError(rv)
authlib.jose.errors.BadSignatureError: bad_signature: 
.............
----------------------------------------------------------------------
Ran 36 tests in 0.079s

OK
Destroying test database for alias 'default'...
stveit commented 2 weeks ago

Hello @f-denkena

Did you only get these errors while running the tests or while using the package?

As you see on the bottom, the test runner reports "OK" indicating the tests passed. The error messages you see are logs that were made during tests that purposely cause these errors to occur in order to make sure the program handles them correctly. It doesn't mean the tests failed, just that some error occurred, was logged, and then handled in the correct manner :)

Specifically these logs are created here https://github.com/Uninett/drf-oidc-auth/blob/85dbee3010cf1e7e1d2dfd1e14b7e8186562f9d8/oidc_auth/authentication.py#L156

Please let me know if this is not a satisfactory answer